A key locator typically locates a key store in the file system. You can configure server-level and cell-level key locators for a specific application by using the WebSphere® Application Server administrative console. You can configure binding information in the administrative console; however, for extensions, you must use an assembly tool.
About this task
Important: Version 5.x applications and Version 6.0.x and later applications are handled differently. The information in this article applies only to Version 5.x applications that are used with WebSphere Application Server Version 6.0.x and later. It does not apply to Version 6.0.x and later applications.
The location of key stores can vary from machine to machine, so it is often helpful to configure a default key locator for a specific machine and reference it from within the encryption or signing information. This information is found within the binding configurations of any application installed on the machine. This approach enables you to define a single key locator for all applications that need to use the same keys. In a WebSphere Application Server, Network Deployment environment, you can also specify the default binding information at the cell level.
Procedure
- Configure default key locators at the server level.
- Open the administrative console. Type http://localhost:port_number/ibm/console in your web browser unless you have changed the port number. On a remote server, type http://server_name:port_number/ibm/console in your web browser unless you have changed the port number.
- Click .
- Under Security, click JAX-WS and JAX-RPC security runtime.
Mixed-version environment: In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security.
- Under Additional properties, click Key locators.
- Click New to configure a new key locator. Select the box next to a key locator name and click Delete to delete a key locator, or click the name of a key locator to edit its configuration. If you are configuring a new key locator or editing an existing one, complete the following steps:
- Specify a name for the key locator in the Key locator name field.
- Specify the name of the key locator class implementation in the Key locator class name field. WebSphere Application Server has the following default key locator class implementations:
- com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator
- This class, used by the response sender, maps an authenticated identity to a key. If encryption is used, this class locates the key that encrypts the response message. The com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator class maps an authenticated identity from the invocation credential of the current thread to a key that is used to encrypt the message. If an authenticated identity is present on the current thread, the class maps the ID to the mapped name; for example, user1 is mapped to mappedName_1. Otherwise, the name "default" is used. When a matching key is not found, the authenticated identity is mapped to the default key specified in the binding file.
- com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator
- This class, used by the response receiver, request sender, and request receiver, maps a name to an alias. Encryption uses this class to obtain a key to encrypt a message, and digital signature uses this class to obtain a key to sign a message. The com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator class maps a logical name to a key alias in the key store file. For example, key #105115176771 is mapped to CN=Alice, O=IBM, c=US.
- Specify the password that is used to access the keystore in the Key store password field. This field is optional if the key locator does not use a keystore.
- Specify the path name that is used to access the keystore in the Key store path field. This field is optional if the key locator does not use a keystore. Use ${USER_INSTALL_ROOT} in the path, because it expands to the WebSphere Application Server installation path on your machine, so the same binding works on machines with different installation directories.
- Select a keystore type from the Key store type field. This field is optional if the key locator does not use a keystore. Use the JKS option if you are not using the Java Cryptography Extension (JCE) keystore type, and use JCEKS if you are using the JCE type.
- Configure default key locators at the cell level.
- Open the administrative console. Type http://localhost:port_number/ibm/console in your web browser unless you have changed the port number. On a remote server, type http://server_name:port_number/ibm/console in your web browser unless you have changed the port number.
- Click .
- Under Additional properties, click Key locators.
- Click New to configure a new key locator. Select the box next to a key locator name and click Delete to delete a key locator, or click the name of a key locator to edit its configuration. If you are configuring a new key locator or editing an existing one, complete the following steps:
- Specify a name for the key locator in the Key locator name field.
- Specify the name of the key locator class implementation in the Key locator class name field. WebSphere Application Server has the following default key locator class implementations:
- com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator
- This class, used by the response sender, maps an authenticated identity to a key. If encryption is used, this class locates the key that encrypts the response message. The com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator class maps an authenticated identity from the invocation credential of the current thread to a key that is used to encrypt the message. If an authenticated identity is present on the current thread, the class maps the ID to the mapped name; for example, user1 is mapped to mappedName_1. Otherwise, the name "default" is used. When a matching key is not found, the authenticated identity is mapped to the default key specified in the binding file.
- com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator
- This class, used by the response receiver, request sender, and request receiver, maps a name to an alias. Encryption uses this class to obtain a key to encrypt a message, and digital signature uses this class to obtain a key to sign a message. The com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator class maps a logical name to a key alias in the key store file. For example, key #105115176771 is mapped to CN=Alice, O=IBM, c=US.
- Specify the password that is used to access the keystore in the Key store password field. This field is optional if the key locator does not use a keystore.
- Specify the path name that is used to access the keystore in the Key store path field. This field is optional if the key locator does not use a keystore. Use ${USER_INSTALL_ROOT} in the path, because it expands to the WebSphere Application Server installation path on your machine, so the same binding works on machines with different installation directories.
- Select a keystore type from the Key store type field. This field is optional if the key locator does not use a keystore. Use the JKS option if you are not using the Java Cryptography Extension (JCE) keystore type, and use JCEKS if you are using the JCE type.
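The following class is an added illustration written for this article; it is not IBM's KeyStoreKeyLocator or WSIdKeyStoreMapKeyLocator code and does not implement the WebSphere key locator SPI. In plain Java SE it shows what the three console fields above (Key store path, Key store password, Key store type) feed into, and the two lookup behaviours the class descriptions give: a logical name mapped to a keystore alias, and an authenticated identity mapped to an alias with a fall back to the "default" entry. The installation root, keystore file name, password and the name-to-alias mapping are hypothetical values for the demonstration; the JKS/JCEKS choice follows the page's guidance that JCEKS is the JCE keystore type.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.util.HashMap;
import java.util.Map;

/**
 * Illustrative stand-alone key locator (added example, not the WebSphere
 * com.ibm.wsspi.wssecurity.config.* classes and not the WebSphere SPI).
 * Models the console settings: key store path, password and type, plus the
 * two lookups the article describes (logical name -> alias, identity ->
 * alias with "default" fall back).
 */
public class ExampleKeyLocator {

    private final KeyStore keyStore;
    private final char[] storePassword;
    private final Map<String, String> nameToAlias;

    /** Expands ${USER_INSTALL_ROOT}, which the Key store path field accepts. */
    public static String expandInstallRoot(String path, String installRoot) {
        return path.replace("${USER_INSTALL_ROOT}", installRoot);
    }

    /**
     * @param type "JKS" or "JCEKS", as chosen in the Key store type field.
     *             JCEKS is required when the store holds secret (symmetric)
     *             keys; JKS holds only private keys and certificates.
     */
    public ExampleKeyLocator(String path, String password, String type,
                             Map<String, String> nameToAlias)
            throws IOException, GeneralSecurityException {
        this.keyStore = KeyStore.getInstance(type);
        this.storePassword = password.toCharArray();
        try (InputStream in = new FileInputStream(path)) {
            keyStore.load(in, storePassword);   // wrong password fails here
        }
        this.nameToAlias = new HashMap<>(nameToAlias);
    }

    /** Logical name -> alias: the KeyStoreKeyLocator behaviour. */
    public Key getKeyByName(String logicalName) throws GeneralSecurityException {
        String alias = nameToAlias.get(logicalName);
        if (alias == null || !keyStore.containsAlias(alias)) {
            throw new KeyStoreException("no key mapped for logical name " + logicalName);
        }
        return keyFor(alias);
    }

    /**
     * Authenticated identity -> mapped alias, falling back to the "default"
     * entry when no identity is present or its mapping has no usable entry:
     * the WSIdKeyStoreMapKeyLocator behaviour.
     */
    public Key getKeyForIdentity(String identity) throws GeneralSecurityException {
        String alias = identity == null ? null : nameToAlias.get(identity);
        if (alias == null || !keyStore.containsAlias(alias)) {
            alias = nameToAlias.get("default");
        }
        if (alias == null || !keyStore.containsAlias(alias)) {
            throw new KeyStoreException("no default key configured");
        }
        return keyFor(alias);
    }

    /**
     * Private or secret key of the entry; for a trusted-certificate entry
     * (no key material) the certificate's public key, which is what an
     * encrypting sender needs. Assumes the entry password equals the store
     * password, since the console collects only one password.
     */
    private Key keyFor(String alias) throws GeneralSecurityException {
        Key key = keyStore.getKey(alias, storePassword);
        if (key != null) {
            return key;
        }
        Certificate cert = keyStore.getCertificate(alias);
        if (cert == null) {
            throw new KeyStoreException("alias " + alias + " has neither key nor certificate");
        }
        return cert.getPublicKey();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical values: point these at a keystore you created with keytool.
        String installRoot = args.length > 0 ? args[0]
                : "/opt/IBM/WebSphere/AppServer/profiles/AppSrv01";
        String path = expandInstallRoot(
                "${USER_INSTALL_ROOT}/etc/example-keystore.jceks", installRoot);
        Map<String, String> mapping = new HashMap<>();
        mapping.put("user1", "mappedName_1");           // identity -> alias (page's example)
        mapping.put("default", "defaultKey");           // used when no identity matches
        mapping.put("CN=Alice, O=IBM, c=US", "alice");  // logical name -> alias (hypothetical)

        ExampleKeyLocator locator =
                new ExampleKeyLocator(path, "example-password", "JCEKS", mapping);
        System.out.println("user1     -> " + locator.getKeyForIdentity("user1").getAlgorithm());
        System.out.println("anonymous -> " + locator.getKeyForIdentity(null).getAlgorithm());
        System.out.println("Alice     -> " + locator.getKeyByName("CN=Alice, O=IBM, c=US").getAlgorithm());
    }
}
```

Two checks worth keeping from this sketch when you fill in the console fields: KeyStore.getInstance fails fast if the Key store type does not match the file (a JCEKS file opened as JKS, or the reverse), and KeyStore.load fails if the Key store password is wrong, so both misconfigurations surface at locator initialisation rather than at the first signed or encrypted message.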